Where to store API keys and other 'secrets' in a yesod app


I'm trying out a yesod application which I will eventually put up on github or similar.

I will use oauth2 with google, which means I have to provide an email and secret token, which I obviously do not want up on github.

What is a good place to store these in a yesod scaffolded application? I'm hoping to store them in a separate file, config/secret.yml for example, so I can put that into the ignore file of git/mercurial and never commit it.

But I can't find out how to include such a file, or whether such a file is already provided by yesod. config/settings.yml seemed possible, but there are entries there which I would like in github.

So my question is: in a yesod scaffolded application, where can I store secret keys in a way I can easily exclude from version control systems?

Michael Snoyman (best answer):

There are many approaches to this, mostly depending on what flavor of devops/hosting you prefer. One option is to put a dummy value in the config file and override it with an environment variable at runtime (see: https://github.com/yesodweb/yesod/wiki/Configuration#overriding-configuration-values-with-environment-variables). You can also have an extra settings file for production that overrides the values in the default config file, which is how the test suite works. A completely different approach would be to use a system like vault in production and query it for your secure credentials.

EDIT To spell out one of the approaches:

  1. Create a new YAML file with the settings you want to override, e.g. in config/production.yml:

    copyright: This is a copyright notice for production
    
  2. When you run the application, pass in a command line argument giving the location of the config file
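What the two override layers described in the answer look like in code, as an added example that is not part of the original answer and not the Yesod scaffold's own code. It uses the yaml package's Data.Yaml.Config module (the mechanism the linked wiki page describes): a committed config/settings.yml holding only `_env:VAR:default` placeholders, and a git-ignored config/secret.yml passed on the command line that is merged over it. The file contents shown in the comments, the record and field names, and the `changeme` dummy value are this example's own assumptions.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not code from the original answer or from the Yesod
-- scaffold itself. It loads a committed settings file containing only
-- dummy values, lets YAML files named on the command line override it,
-- and lets environment variables fill in `_env:VAR:default` placeholders.
--
-- Assumed (constructed) file contents:
--
-- config/settings.yml  (committed to version control):
--   copyright: "_env:COPYRIGHT:Insert copyright statement here"
--   google-client-id: "_env:GOOGLE_CLIENT_ID:changeme"
--   google-client-secret: "_env:GOOGLE_CLIENT_SECRET:changeme"
--
-- config/secret.yml  (listed in .gitignore, never committed):
--   google-client-id: example-client-id
--   google-client-secret: example-client-secret
--
-- The AppSettings record and its field names are this example's own choices.
module Main (main) where

import Control.Monad (when)
import Data.Text (Text)
import qualified Data.Text.IO as T
import Data.Yaml (FromJSON (..), Value, decodeFileThrow, withObject, (.:))
import Data.Yaml.Config (loadYamlSettingsArgs, useEnv)
import System.Exit (die)

data AppSettings = AppSettings
  { appCopyright          :: Text
  , appGoogleClientId     :: Text
  , appGoogleClientSecret :: Text
  }

instance FromJSON AppSettings where
  parseJSON = withObject "AppSettings" $ \o ->
    AppSettings
      <$> o .: "copyright"
      <*> o .: "google-client-id"
      <*> o .: "google-client-secret"

-- The dummy written into the committed settings file. Seeing it at
-- startup means no override of any kind was supplied.
dummySecret :: Text
dummySecret = "changeme"

main :: IO ()
main = do
  -- Base layer: the committed defaults (assumed path).
  base <- decodeFileThrow "config/settings.yml" :: IO Value
  -- loadYamlSettingsArgs treats every command-line argument as the path of
  -- a YAML file to merge over `base` (runtime files take precedence over
  -- the base values). `useEnv` then resolves any remaining
  -- `_env:NAME:default` strings against the process environment.
  settings <- loadYamlSettingsArgs [base] useEnv :: IO AppSettings
  -- Fail fast instead of starting an OAuth2 flow with the placeholder.
  when (appGoogleClientSecret settings == dummySecret) $
    die "google-client-secret is still the dummy value: set GOOGLE_CLIENT_SECRET or pass config/secret.yml on the command line"
  T.putStrLn ("copyright: " <> appCopyright settings)
  T.putStrLn ("google client id: " <> appGoogleClientId settings)
  -- Never log the secret itself; only confirm that one was supplied.
  T.putStrLn "google client secret: (set)"
```

Run as `./app` to use only the committed defaults (the program exits because the secret is still `changeme`), as `GOOGLE_CLIENT_SECRET=... ./app` to override through the environment, or as `./app config/secret.yml` to override from the ignored file; add `config/secret.yml` to `.gitignore` before the first commit, and check with `git check-ignore config/secret.yml` that the rule actually matches. One caveat on precedence: environment resolution only replaces strings that still begin with `_env:`, so a literal value set in an override file is not replaced by an environment variable of the same name.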